
Monitor splunk file after restart

Contributor

In the Splunk docs it is given as:

How Splunk Enterprise handles monitoring of files during restarts
When the Splunk server is restarted, it continues processing files where it left off. It first checks for the file or directory specified in a monitor configuration. If the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart. The monitor process scans subdirectories of monitored directories continuously.

Suppose I deployed inputs to monitor a file and restarted Splunk after deploying, and the monitored file was not created yet. Does Splunk Enterprise check for that file only after 24 hours to read the file? What if the file is created a few minutes after the restart? Will it be ignored until 24 hours after the restart?

Suppose I gave a wildcard for the file name. Does it behave the same? I can see that a newly created file was read by Splunk immediately when it was created, for wildcard file names.

0 Karma

Re: Monitor splunk file after restart

Builder

As per the document, during restart, if the file or directory is not present on start, Splunk Enterprise checks for it every 24 hours from the time of the last restart.

Yes, as per the document, the file will be ignored until the next check. Not tested.

If you are monitoring the existing directory, a newly created file under this monitored directory will be monitored immediately.

0 Karma

Re: Monitor splunk file after restart

Contributor

How does it work if you use a wildcard in the file or directory name, such as

[monitor.....././..../abc*

Will a file named "abcd" that is created a few hours after the restart be ignored until 24 hours have passed? Or is there any exception for this scenario?

0 Karma

Re: Monitor splunk file after restart

Builder

If there is any exception in this scenario, that would be described in the doc.

0 Karma

Re: Monitor splunk file after restart

Motivator

Whenever a file is created or modified, Splunk will monitor it immediately.

0 Karma